Message-Id: <201002240009.o1O09vFQ015287@www.freebsd.org>
Date: Wed, 24 Feb 2010 00:09:57 GMT
From: Vincent Bolinard <vinzstyle@free.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: in openpam_load_module(): no /usr/local/lib/pam_pwdfile.so found
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         144247
>Category:       ports
>Synopsis:       security/pam_pwdfile: in openpam_load_module(): no /usr/local/lib/pam_pwdfile.so found
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 24 01:00:10 UTC 2010
>Closed-Date:    Thu May 20 08:55:19 UTC 2010
>Last-Modified:  Thu May 20 08:55:19 UTC 2010
>Originator:     Vincent Bolinard
>Release:        8.0-RELEASE
>Organization:
>Environment:
FreeBSD example.domain.com 8.0-RELEASE FreeBSD 8.0-RELEASE #4: Sun Dec 13 07:30:40 CET 2009     root@server-new.vinzland.net:/usr/obj/usr/src/sys/DEDIBOX  i386
>Description:
I can't authenticate against a password file when I use pam_pwdfile-0.99
with vsftpd :

Feb 23 23:37:01 example vsftpd: in openpam_load_module(): no /usr/local/lib/pam_pwdfile.so found

But the file exists :

[root@example /var/log]# ls -l /usr/local/lib/pam_pwdfile.so
-r--r--r--  1 root  wheel  7432 Feb 23 22:35 /usr/local/lib/pam_pwdfile.so

Can somebody help ?

Thanks.
>How-To-Repeat:
Configure vsftpd to use pam_pwdfile to authenticate and try to log in.
>Fix:


>Release-Note:
>Audit-Trail:

From: "Mikhail T." <mi+thun@aldan.algebra.com>
To: mschout@gkg.net
Cc: bug-followup@FreeBSD.org, vinzstyle@free.fr
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module():
 no /usr/local/lib/pam_pwdfile.so found
Date: Tue, 16 Mar 2010 20:21:34 -0400

 Michael, are you aware of this problem?
 
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144247
 
 I suspect, the error message is misleading and the problem is not that 
 the module is not found, but that it can not be loaded -- because of 
 the missing symbols like Goodcrypt_md5 and bigcrypt. The port only 
 includes one of the author's source-files (the pam_pwdfile.c), but 
 ignores the others -- md5.c, bigcrypt.c...
 
 Please, advise. Thanks! Yours,
 
     -mi
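
The suspicion in the message above (the file exists but cannot be loaded) can be checked directly. This is an added example, not part of the original thread and not pam_pwdfile or OpenPAM code; check_module and the status enum are names made up for the illustration, and because dlopen() runs the module's initializers it should only be pointed at a module you already trust.

```c
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum module_status { MODULE_OK = 0, MODULE_MISSING, MODULE_UNLOADABLE };

/*
 * Separate "file is absent" from "file exists but the dynamic linker
 * rejects it". RTLD_NOW resolves every undefined symbol at load time,
 * so a module built without some of its objects fails here and
 * dlerror() names the reason.
 */
enum module_status check_module(const char *path, char *why, size_t whylen)
{
    struct stat sb;
    void *handle;
    const char *err;

    if (whylen > 0)
        why[0] = '\0';
    if (stat(path, &sb) != 0) {
        snprintf(why, whylen, "stat: %s", strerror(errno));
        return MODULE_MISSING;
    }
    dlerror();                      /* clear any stale error */
    handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {
        err = dlerror();
        snprintf(why, whylen, "dlopen: %s", err ? err : "unknown error");
        return MODULE_UNLOADABLE;
    }
    /* A PAM authentication module must export this entry point. */
    if (dlsym(handle, "pam_sm_authenticate") == NULL) {
        snprintf(why, whylen, "no pam_sm_authenticate symbol");
        dlclose(handle);
        return MODULE_UNLOADABLE;
    }
    dlclose(handle);
    return MODULE_OK;
}

int main(int argc, char **argv)
{
    char why[512];
    const char *path = argc > 1 ? argv[1] : "/usr/local/lib/pam_pwdfile.so";
    enum module_status st = check_module(path, why, sizeof(why));

    printf("%s: %s%s\n", path, st == MODULE_OK ? "loadable" : "NOT loadable: ", why);
    return st;
}
```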

From: Michael Schout <mschout@gkg.net>
To: "Mikhail T." <mi+thun@aldan.algebra.com>
Cc: bug-followup@FreeBSD.org, vinzstyle@free.fr
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module():
 no /usr/local/lib/pam_pwdfile.so found
Date: Tue, 16 Mar 2010 20:47:05 -0500

 pam_pwdfile 0.99 was completely broken.
 
 See http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138483
 
 It was fixed in 0.99_1
 
 You need to update your ports tree, and update pam_pwdfile to 0.99_1,
 which includes the missing files.
 
 Regards,
 Michael Schout

From: "Mikhail T." <mi+thun@aldan.algebra.com>
To: Michael Schout <mschout@gkg.net>
Cc: bug-followup@FreeBSD.org, vinzstyle@free.fr
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module():
 no /usr/local/lib/pam_pwdfile.so found
Date: Wed, 17 Mar 2010 01:37:24 -0400

 On 16.03.2010 21:47, Michael Schout wrote:
 > pam_pwdfile 0.99 was completely broken.
 >
 > See http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138483
 >
 > It was fixed in 0.99_1
 >    
 Ok, cool. So the 144247 can be closed now?
 
 That said, I'm not sure about Linux, but on FreeBSD crypt(3) implements 
 several algorithms by itself -- including the original (DES), and md5.
 
 If you have a working installation using this pam-module, would you care 
 to test the attached changes? The patch-bsd-crypt just needs to be 
 dropped into files/. The Makefile.bsd replaces the one currently 
 there... This would reduce the size of the module while expanding 
 the set of algorithms...
 
 Thanks! Yours,
 
     -mi
 
 Content-Disposition: attachment; filename="Makefile.bsd"
 
 # inspired from pam-pgsql port :-)
 
 SRCS=	pam_pwdfile.c \
 	bigcrypt.c \
 	md5.c \
 	md5_crypt.c
 
 SHLIB_NAME=	pam_pwdfile.so
 
 LDADD=		-lpam -lcrypt
 CFLAGS+=	-Wall -D_BSD_SOURCE
 CFLAGS+=	-D'MD5Name(x)=Broken\#\#x'
 
 LIBDIR=		${LOCALBASE}/lib
 
 .include <bsd.lib.mk>
 
 
 Content-Disposition: attachment; filename="patch-bsd-crypt"
 
 --- pam_pwdfile.c	2003-12-20 14:21:19.000000000 -0500
 +++ pam_pwdfile.c	2010-03-17 00:49:38.000000000 -0400
 @@ -42,7 +42,7 @@
   * OF THE POSSIBILITY OF SUCH DAMAGE.
   */
  
 -#include <features.h>
 +
  #include <syslog.h>
  #include <stdarg.h>
  #include <stdio.h>
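Review bot: removing the features.h include at the top drops the glibc-only header, but nothing in this patch adds a declaration for crypt_set_format(), which a later hunk calls. On FreeBSD it is declared in <unistd.h>; confirm that header is already included, otherwise -Wall will report an implicit declaration. The replacement also leaves an added blank line where the include was; delete the line outright instead.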
 @@ -234,6 +234,13 @@
      int use_flock = 0;
      int use_delay = 1;
      int temp_result = 0;
 +    int i;
 +    const char * const crypt_methods[] = {
 +	"des",
 +	"md5",
 +	"blf",	/* Blowfish */
 +	"nth"	/* Windows NT-hash scheme */
 +    };
      
      /* we require the pwdfile switch and argument to be present, else we don't work */
      /* pcnt is the parameter counter variable for iterating through argv */
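Review bot: the crypt_methods[] list added here includes "nth", the unsalted NT-hash scheme, so a password-file entry is accepted when it matches that fast, unsalted hash; consider leaving it out or making the accepted methods a module option. The new 'int i' is later compared against a sizeof expression, so declare it size_t to avoid a signed/unsigned comparison under -Wall, and the array can be static.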
 @@ -340,6 +347,7 @@
  	fclose(pwdfile);
  	return PAM_AUTHINFO_UNAVAIL;
      }
 +    fclose(pwdfile);
      
      /* DEBUG */
      D(_pam_log(LOG_ERR,"got crypted password == '%s'", stored_crypted_password));
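Review bot: the fclose(pwdfile) added after the error block is only safe if no later return still closes the file. The two removals further down cover the returns visible in this patch; check that no other path between this point and the end of the function still calls fclose(pwdfile), since that would now be a double close.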
 @@ -344,50 +352,56 @@
      /* DEBUG */
      D(_pam_log(LOG_ERR,"got crypted password == '%s'", stored_crypted_password));
      
 -    
      temp_result = 0;
      
 -    /* Extract the salt and set the passwd length, depending on MD5 or DES */
 -    if (strncmp(stored_crypted_password, "$1$", 3) == 0) {
 -	D(_pam_log(LOG_ERR,"password hash type is 'md5'"));
 -	/* get out the salt into "salt" */
 -	strncpy(salt, stored_crypted_password, 11);
 -	salt[11] = '\0';
 -	stored_crypted_password[CRYPTED_MD5PWD_LEN] = '\0';
 -	/* try both md5 crypts */
 -	crypted_password = Goodcrypt_md5(password, salt);
 -	if (strcmp(crypted_password, stored_crypted_password) == 0)
 -	{
 +    /*
 +     * First go through the methods supported by crypt(3)
 +     */
 +    for (i = 0; i < sizeof(crypt_methods)/sizeof(*crypt_methods); i++) {
 +	if (!crypt_set_format(crypt_methods[i])) {
 +	    D(_pam_log(LOG_ERR, "Method '%s' unknown to crypt-implementation",
 +		crypt_methods[i]));
 +	    continue;
 +	}
 +        crypted_password = crypt(password, stored_crypted_password);
 +	if (strcmp(stored_crypted_password,
 +	    crypted_password) == 0) {
  	    temp_result = 1;
 +	    D(_pam_log(LOG_ERR, "password hash type is '%s'",
 +		crypt_methods[i]));
 +	    goto solved;
  	}
 -	else
 -	{
 +    }
 +
 +    /*
 +     * Check other odd methods, not currently supported by
 +     * BSD's crypt(3), but only if something hints at their
 +     * use.
 +     */
 +    if (strncmp("$1$", stored_crypted_password, 3) == 0) {
  	    crypted_password = Brokencrypt_md5(password, salt);
 -	    if (strcmp(crypted_password, stored_crypted_password) == 0)
 -	    {
 +	if (strcmp(crypted_password, stored_crypted_password) == 0) {
 +	    D(_pam_log(LOG_ERR, "password hash type is '%s'",
 +		"brokenmd5"));
  		temp_result = 1;
 +	    goto solved;
  	    }
 -	}
 -    } else {
 +    } else if (strlen(stored_crypted_password) > CRYPTED_DESPWD_LEN) {
  	/* get the salt out into "salt" */
  	strncpy(salt, stored_crypted_password, 2);
  	salt[2] = '\0';
  	stored_crypted_password[CRYPTED_BCPWD_LEN] = '\0';
  
 -	if (strlen(stored_crypted_password) <= CRYPTED_DESPWD_LEN) {
 -	    D(_pam_log(LOG_ERR,"password hash type is 'crypt'"));
 -	    crypted_password = crypt(password, salt);
 -	} else {
 -	    D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'"));
 -	    crypted_password = bigcrypt(password, salt);
 -	}
 +	crypted_password = bigcrypt(password, salt);
  
  	if (strcmp(crypted_password, stored_crypted_password) == 0)
  	{
 +	    D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'"));
  	    temp_result = 1;
  	}
      }
      
 +solved:
      /* DEBUG */
      D(_pam_log(LOG_ERR,"user password crypted is '%s'", crypted_password));
      
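Review bot: in the "$1$" branch, Brokencrypt_md5(password, salt) is now called without salt ever being filled in, because the strncpy(salt, stored_crypted_password, 11) and salt[11] = '\0' lines are removed together with the truncation to CRYPTED_MD5PWD_LEN; restore them at the top of that branch. In the new loop, crypt() may return NULL and its result goes straight into strcmp(), so test for NULL before comparing. crypt_set_format() changes the default for the whole process and is left at the last method tried, which affects any other crypt(3) caller in the host application; save the value from crypt_get_format() before the loop and restore it at solved:. The indentation of the kept Brokencrypt_md5 line and its closing brace no longer matches the new nesting.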
 @@ -395,7 +409,6 @@
      if (!temp_result) 
      {
  	_pam_log(LOG_ERR,"wrong password for user %s",name);
 -	fclose(pwdfile);
  	return PAM_AUTH_ERR;
      }
      
 @@ -403,7 +416,6 @@
      D(_pam_log(LOG_ERR,"passwords match"));
      
      /* we've gotten here, i.e. authentication was sucessful! */
 -    fclose(pwdfile);
      return PAM_SUCCESS;
  }
  
 
 
 
State-Changed-From-To: open->feedback 
State-Changed-By: mi 
State-Changed-When: Wed Mar 17 16:00:51 UTC 2010 
State-Changed-Why:  
Vincent, please, confirm, that the current version of the 
port (0.99_1) builds a usable module for you. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144247 

From: Michael Schout <mschout@gkg.net>
To: "Mikhail T." <mi+thun@aldan.algebra.com>
Cc: bug-followup@FreeBSD.org, vinzstyle@free.fr
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module():
 no /usr/local/lib/pam_pwdfile.so found
Date: Thu, 18 Mar 2010 07:59:52 -0500

 > Ok, cool. So the 144247 can be closed now?
 
 Yes.
 
 Regards,
 Michael Schout
State-Changed-From-To: feedback->closed 
State-Changed-By: stefan 
State-Changed-When: Thu May 20 08:54:12 UTC 2010 
State-Changed-Why:  
Submitter timeout, and maintainer reports the problem is fixed and the PR can be 
closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144247 
>Unformatted:
